Your Aadhaar number on sale for Rs 500, all Aadhaar-linked details of 1 billion Indians leaked

Your Aadhaar number on sale for Rs 500, all Aadhaar-linked details of 1 billion Indians leaked

An investigation has revealed that sellers on WhatsApp are providing unrestricted access to over a billion Aadhaar details for just Rs 500.

advertisement

Sanket Vijayasarathy

New Delhi

January 4, 2018

UPDATED: January 4, 2018 17:24 IST

Your Aadhaar card will soon become your biggest and most important personal identification document, if it hasn't already. With all the various institutions like banks and telecom service providers now requiring you to link your Aadhaar details, your 12-digit unique ID number is now of high value, which naturally makes it a prime target for hackers. After UIDAI recently assured people in India that their "Aadhaar data is fully safe and secure," a new report has revealed that anonymous sellers on WhatsApp are selling Aadhaar details of over a billion Indians for just Rs 500.

An investigation by The Tribune has revealed that sellers on WhatsApp are providing unrestricted access to over a billion Aadhaar details for just Rs 500. The Tribune reports that a correspondent "purchased" a service from an anonymous seller on WhatsApp by paying Rs 500 via Paytm. Within minutes, the agent provided a login ID and password to a portal where the correspondent could enter any Aadhaar number and gain instant access to all of its details including name, address, phone number, photo and email.

Update: UIDAI has denied the The Tribune's investigation and is calling it a case of misreporting. It assures that there has been no Aadhaar data breach and that data is fully safe and secure. UIDAI adds that some people have misused the demographic information given to designated official, but also added that the information cannot be misused without biometrics. "UIDAI maintains complete log & traceability of the facility, any misuse is traceable. Legal action taken, including FIR against persons involved. Search facility gives limited access to name & other details, has no access to biometric details," it tweeted.

In addition to this, the sellers are also providing a "software" to allow you to print the Aadhaar card that you have accessed for Rs 300 more. This is perhaps the biggest security breach of Aadhaar seen so far and UIDAI agreed when contacted. Officials were "shocked" on hearing about the scam and have taken up the matter with UIDAI technical consultants in Bengaluru. "Except the Director-General and I, no third person in Punjab should have a login access to our official portal. Anyone else having access is illegal, and is a major national security breach," Sanjay Jindal, Additional Director-General, UIDAI Regional Centre, Chandigarh told The Tribune.

The investigation revealed that the operation started around six months ago. Some anonymous groups were created on WhatsApp who began by targeting over 3-lakh village-level enterprises (VLE) hired by Ministry of Electronics and Information Technology (ME&IT) under the Common Service Centres Scheme (CSCS), and offered them unrestricted access to all Aadhaar details that have been created so far. Initially, the CSCS was entrusted in making Aadhaar card in India, but their job was soon taken and given to post offices and designated banks in November to avoid security breaches.

Over one lakh VLE are now suspected for gaining illegal access to Aadhaar data to provide the service to people for a fee. Additionally, the hackers may have gained access to a website of the Government of Rajasthan, aadhaar.rajasthan.gov.in, as it was provided in the "software" that allows people to access and print Aadhaar cards.

This investigation has managed to uncover a major data breach and an operation that has been running for at least six months. It comes following UIDAI's claims in November that Aadhaar details were safe from breaches. However, the latest report suggests that a simple process of paying Rs 500 can allow a person to gain access to every Aadhaar card in India, which can be used for nefarious purposes in the wrong hands. Linked SIM cards and bank accounts, among other things, can be misused with this knowledge.

As of now, the UIDAI is looking into the matter and Jindal says this report can only be confirmed after a technical investigation has been conducted. Those who have an Aadhaar card can track whether there has been any misuse. The UIDAI recently introduced an option on its website to help you view the history of where your Aadhaar was used.